CN109617745B - Alarm prediction method, device, system and storage medium - Google Patents

Alarm prediction method, device, system and storage medium Download PDF

Info

Publication number
CN109617745B
CN109617745B CN201910025698.5A CN201910025698A CN109617745B CN 109617745 B CN109617745 B CN 109617745B CN 201910025698 A CN201910025698 A CN 201910025698A CN 109617745 B CN109617745 B CN 109617745B
Authority
CN
China
Prior art keywords
alarm
alarms
frequent
historical
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910025698.5A
Other languages
Chinese (zh)
Other versions
CN109617745A (en
Inventor
陈泉伯
陆兴海
胡升跃
刘建坡
丁强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cloudwise Beijing Technology Co Ltd
Original Assignee
Cloudwise Beijing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cloudwise Beijing Technology Co Ltd filed Critical Cloudwise Beijing Technology Co Ltd
Priority to CN201910025698.5A priority Critical patent/CN109617745B/en
Publication of CN109617745A publication Critical patent/CN109617745A/en
Application granted granted Critical
Publication of CN109617745B publication Critical patent/CN109617745B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0631Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0604Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides an alarm prediction method, an alarm prediction device, an alarm prediction system and a storage medium, which are applied to the field of operation and maintenance monitoring and realize early warning of faults, wherein the method comprises the following steps: acquiring a currently generated alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type; acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in a preset first time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms; according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold value, the alarm related to the currently generated alarm is announced, and the probability of occurrence of the related alarm is larger than the first threshold value.

Description

Alarm prediction method, device, system and storage medium
Technical Field
The present invention relates to the field of operation and maintenance monitoring, and in particular, to a method, an apparatus, a system, and a storage medium for alarm prediction.
Background
The operation and maintenance monitoring is a general name of a series of IT management products, and the products contained in the operation and maintenance monitoring system have the advantages of strong functions, easy use and complete solutions, and can meet various IT management requirements of users in a one-stop manner.
More and more customers are considering or adopting a business-intensive approach. However, after the business system is centralized, not only the working intensity of operation and maintenance is increased, but also the centralized system becomes more complicated. An effective system and an application monitoring system become keys for knowing service resource use conditions, timely discovering hidden dangers which may cause system faults and realizing system operation guarantee.
In actual operation and maintenance, faults often do not exist independently. Under the conventional operation and maintenance mode, the influence of faults cannot be predicted and judged, and the faults which are possibly generated cannot be early warned, and only after the faults are generated, the operation and maintenance personnel can process the faults.
Disclosure of Invention
The invention provides an alarm prediction method, an alarm prediction device, an alarm prediction system and a storage medium, aiming at the problem that the prior art can not realize early warning of faults.
In a first aspect, an embodiment of the present invention provides an alarm prediction method, including: acquiring a currently generated alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type; acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in preset time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms; according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold value, the alarm related to the currently generated alarm is announced, and the probability of occurrence of the related alarm is larger than the first threshold value.
In one optional embodiment, the obtaining a sample set of historical alert sequences includes: acquiring root cause alarms from a historical alarm data set, wherein the occurrence frequency of the root cause alarms is greater than a preset first frequency threshold; acquiring alarm data meeting a preset first condition from the historical alarm data set according to the root cause alarm, wherein the alarm data comprises a plurality of alarms meeting the first condition with the root cause alarm; acquiring target alarms according to the occurrence frequency of the alarm data meeting the preset first condition and a preset second frequency threshold, wherein the occurrence frequency of the target alarms is greater than the second frequency threshold; aggregating target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence, wherein the frequency of the frequent alarms contained in the frequent alarm sequence appearing in a path set ending with the target alarms is greater than a preset second threshold.
In one optional embodiment, the obtaining a root cause alarm from the historical alarm data set includes: scanning the historical alarm data set in the preset first time, wherein the historical alarm data comprises a classification key field, and the classification key field comprises an object field used for representing an object and/or an index field used for representing a monitoring index; determining the frequency of each type of historical alarm according to the classification key fields contained in the historical alarm data; and obtaining root cause alarms according to the frequency of each type of historical alarms and the first frequency threshold.
In one optional embodiment, the aggregating target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence includes: scanning a target alarm data set corresponding to root cause alarms of the same class to construct a target alarm sample set, wherein the target alarm sample set comprises a pointer list and a necklace table corresponding to the pointer list, and the pointer list comprises at least one target alarm identifier, occurrence frequency corresponding to the alarm identifier and a pointer pointing to a corresponding item linked list; for each target alarm, acquiring a corresponding condition mode base, wherein the condition mode base is a set of paths ending in the target alarm; determining a frequent alarm in the set of paths, the frequent alarm being an alarm in the set of paths that occurs more frequently than the second threshold; and deleting target alarms in the set of paths, wherein the frequency of the target alarms in the set of paths is less than the second threshold value, and updating the target alarm sample set to form the historical alarm sequence sample set.
In one optional embodiment, the scanning a target alarm data set corresponding to a same type of root cause alarm to construct a target alarm sample set includes: scanning the alarm data, and arranging the target alarm identifications in the pointer list by taking a second condition as a sequence according to a preset second condition; and constructing the target alarm sample set according to the pointer list.
In one optional embodiment, the notifying of the alarm associated with the currently generated alarm according to the currently generated alarm, the sample set of historical alarm sequences, and the preset first threshold includes: according to the identification corresponding to the currently generated alarm, finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set; acquiring a prefix, and extracting a corresponding projection database from the corresponding frequent alarm sequence; calculating the occurrence probability of each alarm in the projection database, and deleting the alarm identification with the occurrence probability smaller than the first threshold value so as to update the corresponding frequent alarm sequence; respectively binding the identifier of the current prefix with the identifiers of the reserved alarms to form a new prefix, finding out projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence, and executing calculation and deletion actions until the projection data are empty; the reserved warning is announced.
In a second aspect, an embodiment of the present invention provides an alarm prediction apparatus, including:
the first acquisition unit is used for acquiring the currently generated alarm, wherein the alarm is a message list formed by compressing the same type of alarm messages;
the second acquisition unit is used for acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in preset time, each frequent alarm sequence corresponds to one root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets related to the root cause alarms;
and the notification unit is used for notifying the alarm associated with the currently generated alarm according to the currently generated alarm acquired by the first acquisition unit, the historical alarm sequence sample set acquired by the second acquisition unit and a preset first threshold, wherein the occurrence probability of the associated alarm is greater than the first threshold.
In an optional embodiment, the second obtaining unit includes:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring root cause alarms from a historical alarm data set, and the frequency of the root cause alarms is greater than a preset first frequency threshold;
a second obtaining module, configured to obtain, according to the root cause alarm obtained by the first obtaining module, alarm data meeting a preset first condition from the historical alarm data set, where the alarm data includes multiple alarms meeting the first condition with the root cause alarm;
the third acquisition module is used for acquiring target alarms according to the frequency of occurrence of the alarm data which meets the preset first condition and is acquired by the second acquisition module and a preset second frequency threshold, wherein the frequency of occurrence of the target alarms is greater than the second frequency threshold;
and the aggregation module is used for aggregating the target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence, wherein the frequency of the frequent alarms contained in the frequent alarm sequence appearing in a path set ending with the target alarms is greater than a preset second threshold value.
In one optional embodiment, the first obtaining module is specifically configured to:
scanning the historical alarm data set in the preset first time, wherein the historical alarm data comprises a classification key field, and the classification key field comprises an object field used for representing an object and/or an index field used for representing a monitoring index;
determining the frequency of each type of historical alarm according to the classification key fields contained in the historical alarm data;
obtaining root cause alarms according to the occurrence frequency of each type of historical alarms and the first frequency threshold;
in one optional embodiment, the aggregation module is specifically configured to:
scanning a target alarm data set corresponding to root cause alarms of the same class to construct a target alarm sample set, wherein the target alarm sample set comprises a pointer list and a necklace table corresponding to the pointer list, and the pointer list comprises at least one target alarm identifier, occurrence frequency corresponding to the alarm identifier and a pointer pointing to a corresponding item linked list;
for each target alarm, acquiring a corresponding condition mode base, wherein the condition mode base is a set of paths ending in the target alarm;
determining a frequent alarm in the set of paths, the frequent alarm being an alarm in the set of paths that occurs more frequently than the second threshold;
and deleting target alarms in the set of paths, wherein the frequency of the target alarms in the set of paths is less than the second threshold value, and updating the target alarm sample set to form the historical alarm sequence sample set.
In an optional embodiment, the notification unit includes:
the searching module is used for finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set according to the identifier corresponding to the currently generated alarm;
the fourth acquisition module is used for acquiring prefixes and extracting corresponding projection databases from the corresponding frequent alarm sequences;
the execution module is used for calculating the probability of each alarm in the projection database, and deleting the alarm identification with the probability of occurrence smaller than the first threshold value so as to update the corresponding frequent alarm sequence;
the execution module is further configured to bind the identifier of the current prefix with the identifiers of the reserved alarms to form a new prefix, and find projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence; executing calculation and deletion actions until the projection data are empty;
and the notification module is used for notifying the reserved warning.
In a third aspect, an embodiment of the present invention provides an alarm prediction system, which includes a memory, and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs include instructions for:
acquiring a currently generated alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type;
acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in preset time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms;
according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold value, the alarm related to the currently generated alarm is announced, and when the probability of occurrence of the related alarm is larger than the first threshold value.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the alarm prediction method as claimed in the claims above.
According to the alarm prediction method, the alarm prediction device, the alarm prediction system and the storage medium, the alarm related to the current generated alarm is announced according to the current generated alarm, the historical alarm sequence sample set and a preset first threshold, and when the probability of occurrence of the related alarm is greater than the first threshold, the alarm prediction method, the device and the system are used for predicting the alarm. The historical alarm sequence sample set is obtained through data precipitation for a period of time, and other faults which have probability in a short period can be effectively notified together when the faults occur, so that operation and maintenance personnel can prevent the faults in the bud to a certain degree in daily work, and the overall operation quality of the system is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic flow chart of an alarm warning method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an alarm warning method according to another embodiment of the present invention;
FIG. 3 is a schematic flow chart of step 205 of the alarm alerting method shown in FIG. 2;
FIG. 4 is a schematic flow chart of step 206 of the alarm alerting method shown in FIG. 2;
fig. 5 is a schematic structural diagram of an alarm early warning device according to an embodiment of the present invention.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The following describes the technical solutions of the present invention and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of an alarm prediction method according to an embodiment of the present invention. As shown in fig. 1, the method includes:
step 101, acquiring a currently generated alarm.
The alarm is a message list formed by compressing the same type of alarm messages.
In an embodiment, the acquiring the currently generated alarm includes determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the received alarm message; if the alarm corresponding to the alarm message exists, updating the corresponding alarm according to the alarm message; and if the alarm corresponding to the alarm message does not exist, establishing a corresponding alarm according to the alarm message.
In an embodiment, the determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message includes: extracting a classification key field according to the alarm message; if the alarm for message compression by using the classification key field exists in the alarms of the current operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise it is not present.
In an embodiment, the classification key fields may include, but are not limited to, an object field for representing an object and/or a metric field for representing a monitoring metric.
Step 102, obtaining a historical alarm sequence sample set.
The historical alarm sequence sample set comprises a plurality of frequent alarm sequences in a preset time, each frequent alarm sequence corresponds to one root cause alarm, and the frequent alarm sequence comprises a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms.
103, according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold, notifying an alarm associated with the currently generated alarm, wherein the probability of occurrence of the associated alarm is greater than the first threshold.
According to the alarm prediction method provided by the invention, the alarm related to the current generated alarm is announced according to the current generated alarm, the historical alarm sequence sample set and a preset first threshold, and when the probability of the related alarm is greater than the first threshold, the alarm related to the current generated alarm is announced. The historical alarm sequence sample set is obtained through data precipitation for a period of time, and other faults which have probability in a short period can be effectively notified together when the faults occur, so that operation and maintenance personnel can prevent the faults in the bud to a certain degree in daily work, and the overall operation quality of the system is improved.
On the basis of the foregoing embodiment, in order to further explain the alarm prediction method provided by the present invention, fig. 2 is a schematic flow chart of an alarm prediction method provided by another embodiment of the present invention. As shown in fig. 2, the method includes:
step 201, acquiring the currently generated alarm. The specific implementation is the same as step 101, and is not described herein again.
Step 202, a root cause alarm is obtained from the historical alarm data set.
The frequency of the root cause alarm is greater than a preset first frequency threshold value.
The historical alert data includes classification key fields including an object field for representing an object and/or an index field for representing a monitoring index.
In one embodiment, the historical alert data may include a level, a creation time, a duration, an alert source, an object field, and a monitoring metrics field.
In an embodiment, the step 202 may include: scanning the historical alarm data set in the preset first time, wherein the historical alarm data comprises a classification key field, and the classification key field comprises an object field used for representing an object and/or an index field used for representing a monitoring index; determining the frequency of each type of historical alarm according to the classification key fields contained in the historical alarm data; and obtaining root cause alarms according to the frequency of each type of historical alarms and the first frequency threshold. For example: all alarm data is given within a certain time period, for example, 7 days (corresponding to the first time), for example, 10 ten thousand pieces of alarm data are included, wherein 5000 pieces of alarms of different types are included, each type of alarm includes at least one alarm, the alarms included in each type of alarm have the same classification key field, but the time points of occurrence of the alarms included in each type of alarm may be different, and the frequency of occurrence of each type of alarm is counted. For example, when the first frequency threshold is set to 3, it is necessary to delete the similar alarms with the number of alarms less than 3 from among 5000 different types of alarms, and the remaining similar alarms are root cause alarms. The first frequency threshold value is only an example, and may be determined according to actual situations.
Step 203, according to the root cause alarm, obtaining alarm data meeting a preset first condition from the historical alarm data set, where the alarm data includes a plurality of alarms meeting the first condition with the root cause alarm.
In this embodiment, the preset first condition may be related to time, or may be related to other conditions that may form an association relationship, and is not limited herein.
Illustratively, for each root cause alarm found, alarm data meeting a preset first condition (e.g., within 1 hour of occurrence of the root cause alarm) is found in the historical alarm data set. If this happens 1000 times, as for example alarm a, then one dataset is found each time within 1 hour after it has occurred. Such as a1Alarms correspond to (b, v, g, d, s, a, r, y, d, s, a, d, d), a2Corresponding to (g, e, s, a, d, d, t, s, c, s), … …, a1000Corresponding to (r, w, s, s, f, u, d, d, o, e, s).
And 204, obtaining target alarms according to the occurrence frequency of the alarm data meeting the preset first condition and a preset second frequency threshold, wherein the occurrence frequency of the target alarms is greater than the second frequency threshold.
In an embodiment, the step 204 specifically includes obtaining alarm data meeting the first condition, and determining the frequency of occurrence of each alarm. And screening out the alarms with the occurrence frequency larger than the second frequency threshold value as target alarms, and deleting the alarms with the occurrence frequency smaller than or equal to the second frequency threshold value.
In particular, the implementation can be carried out in a scanning mode. The scan results can be presented in Table 1
Table 1: scanning acquired target alerts
Root cause alarm a Alarm meeting preset first condition Target alarm (second frequency threshold 2)
001 r,z,h,j,p z,r
002 z,y,x,w,v,u,t,s z,x,y,t,s
003 z z
004 r,x,n,o,s x,s,r
005 y,r,x,z,q,t,p z,x,y,t,r
006 y,z,x,e,q,s,t,m z,x,y,t,s
Step 205, aggregating the target alarms corresponding to the root cause alarms of the same class to generate a frequent alarm sequence, where the frequency of the frequent alarms included in the frequent alarm sequence appearing in the path set ending with the target alarm is greater than a preset second threshold.
In one embodiment, the step 205, as shown in fig. 3, includes:
and step 2051, scanning a target alarm data set corresponding to the root cause alarms of the same type, and constructing a target alarm sample set.
In an embodiment, the target alarm sample set includes a pointer list and a necklace list corresponding to the pointer list, where the pointer list includes at least one target alarm identifier, a frequency of occurrence corresponding to the alarm identifier, and a pointer pointing to a corresponding necklace list.
In an embodiment, the specific implementation of step 2051 includes scanning the alarm data, and arranging the target alarm identifiers in the pointer list according to a preset second condition, where the preset second condition is a sequence; and constructing the target alarm sample set according to the pointer list.
Step 2052, for each target alarm, a corresponding conditional mode base is obtained, where the conditional mode base is a set of paths ending with the target alarm.
Corresponding to the above example, the conditional mode base for each target alarm is represented by table 2.
Table 2: conditional mode base for target alert
Target alert Conditional mode base
z {}
x {z}
y {z,x}
t {z,x,y}
s {z},{z,x,y,t},{x}
r {z},{z,x,y,t},{x,s}
And step 2053, determining frequent alarms in the set of paths, wherein the frequent alarms are alarms with frequency greater than the second threshold value in the set of paths.
Taking the target alarm r as an example for screening, the three prefix paths (conditional pattern bases) of r are { z }, { z, x, y, t }, { x, s }, respectively, where the second threshold is intended to be 2, then y, t, s are filtered out, leaving { z }, { z, x }, and { x }. y, s, t are part of the conditional mode base, but do not satisfy the setting of the second threshold, i.e. they are not frequent for r. Specifically, y → t → r and s → r occur in 1 frequency, so y, t, s are infrequent for the condition of r.
And step 2054, deleting the target alarms with the frequency less than the second threshold in the set of paths, and updating the target alarm sample set to form the historical alarm sequence sample set.
And 206, notifying the alarm associated with the currently generated alarm according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold.
In one embodiment, the step 206, as shown in fig. 4, may include:
step 2061, according to the identifier corresponding to the currently generated alarm, finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set;
step 2062, obtaining the prefix, and extracting the corresponding projection database from the corresponding frequent alert sequence.
In this embodiment, when prefix acquisition is performed for the first time, the prefix is an identifier corresponding to each target alarm included in the frequent alarm sequence.
Step 2063, calculating the probability of each alarm appearing in the projection database, and deleting the alarm identifier with the probability of appearing smaller than the first threshold value so as to update the corresponding frequent alarm sequence.
Step 2064, binding the identifier of the current prefix with the identifier of each reserved alarm to form a new prefix, finding out the projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence, and executing calculation and deletion actions until the projection data is empty.
Step 2065, annunciate the reserved warning.
By using the method and the device, after the data settling period of about 1 month, the possible faults in the future 1 hour can be predicted when the common faults occur, the accuracy rate reaches more than 70%, and the fault rate of a service system is effectively reduced by more than 30%.
According to the alarm prediction method provided by the invention, the alarm related to the current generated alarm is announced according to the current generated alarm, the historical alarm sequence sample set and a preset first threshold, and when the probability of the related alarm is greater than the first threshold, the alarm related to the current generated alarm is announced. The historical alarm sequence sample set is obtained through data precipitation for a period of time, and other faults which have probability in a short period can be effectively notified together when the faults occur, so that operation and maintenance personnel can prevent the faults in the bud to a certain degree in daily work, and the overall operation quality of the system is improved.
Fig. 5 is a diagram of an alarm prediction apparatus according to another embodiment of the present invention, including:
a first obtaining unit 51, configured to obtain a currently generated alarm, where the alarm is a message list formed by compressing alarm messages of the same type;
a second obtaining unit 52, configured to obtain a historical alarm sequence sample set, where the historical alarm sequence sample set includes a plurality of frequent alarm sequences within a preset time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequence includes a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms;
in an optional embodiment, the second obtaining unit includes: first acquisition module, second acquisition module, third acquisition module and polymerization module, it is specific:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring root cause alarms from a historical alarm data set, and the frequency of the root cause alarms is greater than a preset first frequency threshold;
in one optional embodiment, the first obtaining module is specifically configured to: scanning the historical alarm data set in the preset first time, wherein the historical alarm data comprises a classification key field, and the classification key field comprises an object field used for representing an object and/or an index field used for representing a monitoring index; determining the frequency of each type of historical alarm according to the classification key fields contained in the historical alarm data; and obtaining root cause alarms according to the frequency of each type of historical alarms and the first frequency threshold.
A second obtaining module, configured to obtain, according to the root cause alarm obtained by the first obtaining module, alarm data meeting a preset first condition from the historical alarm data set, where the alarm data includes multiple alarms meeting the first condition with the root cause alarm;
the third acquisition module is used for acquiring target alarms according to the frequency of occurrence of the alarm data which meets the preset first condition and is acquired by the second acquisition module and a preset second frequency threshold, wherein the frequency of occurrence of the target alarms is greater than the second frequency threshold;
and the aggregation module is used for aggregating the target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence, wherein the frequency of the frequent alarms contained in the frequent alarm sequence appearing in a path set ending with the target alarms is greater than a preset second threshold value.
In one optional embodiment, the aggregation module is specifically configured to: scanning a target alarm data set corresponding to root cause alarms of the same class to construct a target alarm sample set, wherein the target alarm sample set comprises a pointer list and a necklace table corresponding to the pointer list, and the pointer list comprises at least one target alarm identifier, occurrence frequency corresponding to the alarm identifier and a pointer pointing to a corresponding item linked list; for each target alarm, acquiring a corresponding condition mode base, wherein the condition mode base is a set of paths ending in the target alarm; determining a frequent alarm in the set of paths, the frequent alarm being an alarm in the set of paths that occurs more frequently than the second threshold; and deleting target alarms in the set of paths, wherein the frequency of the target alarms in the set of paths is less than the second threshold value, and updating the target alarm sample set to form the historical alarm sequence sample set.
The notifying unit 53 is configured to notify an alarm associated with the currently generated alarm according to the currently generated alarm acquired by the first acquiring unit, the historical alarm sequence sample set acquired by the second acquiring unit, and a preset first threshold, where a probability of occurrence of the associated alarm is greater than the first threshold.
In an optional embodiment, the notification unit includes:
the searching module is used for finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set according to the identifier corresponding to the currently generated alarm;
the fourth acquisition module is used for acquiring prefixes and extracting corresponding projection databases from the corresponding frequent alarm sequences;
the execution module is used for calculating the probability of each alarm in the projection database, and deleting the alarm identification with the probability of occurrence smaller than the first threshold value so as to update the corresponding frequent alarm sequence;
the execution module is further configured to bind the identifier of the current prefix with the identifiers of the reserved alarms to form a new prefix, and find projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence; executing calculation and deletion actions until the projection data are empty;
and the notification module is used for notifying the reserved warning.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process and corresponding beneficial effects of the apparatus described above may refer to the corresponding process in the foregoing method embodiments, and are not described herein again.
According to the alarm prediction device provided by the invention, the alarm related to the current generated alarm is notified according to the current generated alarm, the historical alarm sequence sample set and a preset first threshold, and when the probability of occurrence of the related alarm is greater than the first threshold, the alarm related to the current generated alarm is notified. The historical alarm sequence sample set is obtained through data precipitation for a period of time, and other faults which have probability in a short period can be effectively notified together when the faults occur, so that operation and maintenance personnel can prevent the faults in the bud to a certain degree in daily work, and the overall operation quality of the system is improved.
In one embodiment, the present invention provides an alarm prediction system comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs including instructions for:
acquiring a currently generated alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type;
acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in preset time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms;
according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold value, the alarm related to the currently generated alarm is announced, and when the probability of occurrence of the related alarm is larger than the first threshold value.
Another embodiment of the invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the alarm prediction method as claimed above.
According to the alarm prediction system and the storage medium provided by the invention, the alarm related to the current generated alarm is announced according to the current generated alarm, the historical alarm sequence sample set and a preset first threshold, and when the probability of occurrence of the related alarm is greater than the first threshold, the alarm prediction system and the storage medium can be used for predicting the alarm of the current generated alarm. The historical alarm sequence sample set is obtained through data precipitation for a period of time, and other faults which have probability in a short period can be effectively notified together when the faults occur, so that operation and maintenance personnel can prevent the faults in the bud to a certain degree in daily work, and the overall operation quality of the system is improved.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (9)

1. An alarm prediction method, comprising:
acquiring a currently generated alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type;
acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in a preset first time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms;
according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold value, notifying an alarm associated with the currently generated alarm, wherein the probability of occurrence of the associated alarm is greater than the first threshold value;
wherein the obtaining a sample set of historical alert sequences comprises:
acquiring root cause alarms from a historical alarm data set, wherein the occurrence frequency of the root cause alarms is greater than a preset first frequency threshold;
acquiring alarm data meeting a preset first condition from the historical alarm data set according to the root cause alarm, wherein the alarm data comprises a plurality of alarms meeting the first condition with the root cause alarm;
acquiring target alarms according to the occurrence frequency of the alarm data meeting the preset first condition and a preset second frequency threshold, wherein the occurrence frequency of the target alarms is greater than the second frequency threshold;
aggregating target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence, wherein the frequency of the frequent alarms contained in the frequent alarm sequence appearing in a path set ending with the target alarms is greater than a preset second threshold;
wherein the notifying of the alarm associated with the currently generated alarm based on the currently generated alarm, the sample set of historical alarm sequences, and a preset first threshold comprises:
according to the identification corresponding to the currently generated alarm, finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set;
acquiring a prefix, and extracting a corresponding projection database from the corresponding frequent alarm sequence;
calculating the occurrence probability of each alarm in the projection database, and deleting the alarm identification with the occurrence probability smaller than the first threshold value so as to update the corresponding frequent alarm sequence;
respectively binding the identifier of the current prefix with the identifiers of the reserved alarms to form a new prefix, finding out projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence, and executing calculation and deletion actions until the projection data are empty;
the reserved warning is announced.
2. The method of claim 1, wherein obtaining root cause alarms from a historical alarm data set comprises:
scanning the historical alarm data set in the preset first time, wherein the historical alarm data comprises a classification key field, and the classification key field comprises an object field used for representing an object and/or an index field used for representing a monitoring index;
determining the frequency of each type of historical alarm according to the classification key fields contained in the historical alarm data;
and obtaining root cause alarms according to the frequency of each type of historical alarms and the first frequency threshold.
3. The method of claim 1, wherein aggregating target alarms corresponding to the same class of root cause alarms to generate a frequent alarm sequence comprises:
scanning a target alarm data set corresponding to root cause alarms of the same class to construct a target alarm sample set, wherein the target alarm sample set comprises a pointer list and a necklace table corresponding to the pointer list, and the pointer list comprises at least one target alarm identifier, occurrence frequency corresponding to the alarm identifier and a pointer pointing to a corresponding item linked list;
for each target alarm, acquiring a corresponding condition mode base, wherein the condition mode base is a set of paths ending in the target alarm;
determining a frequent alarm in the set of paths, the frequent alarm being an alarm in the set of paths that occurs more frequently than the second threshold;
and deleting target alarms in the set of paths, wherein the frequency of the target alarms in the set of paths is less than the second threshold value, and updating the target alarm sample set to form the historical alarm sequence sample set.
4. The method of claim 3, wherein the scanning a set of target alarm data corresponding to the same type of root cause alarm to construct a set of target alarm samples comprises:
scanning the alarm data, and arranging the target alarm identifications in the pointer list by taking a second condition as a sequence according to a preset second condition;
and constructing the target alarm sample set according to the pointer list.
5. An alarm prediction apparatus, comprising:
the first acquisition unit is used for acquiring the currently generated alarm, wherein the alarm is a message list formed by compressing the same type of alarm messages;
the second acquisition unit is used for acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in preset first time, each frequent alarm sequence corresponds to one root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets related to the root cause alarms;
the notification unit is used for notifying an alarm associated with the currently generated alarm according to the currently generated alarm acquired by the first acquisition unit, the historical alarm sequence sample set acquired by the second acquisition unit and a preset first threshold, wherein the occurrence probability of the associated alarm is greater than the first threshold;
wherein the second obtaining unit includes:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring root cause alarms from a historical alarm data set, and the frequency of the root cause alarms is greater than a preset first frequency threshold;
a second obtaining module, configured to obtain, according to the root cause alarm obtained by the first obtaining module, alarm data meeting a preset first condition from the historical alarm data set, where the alarm data includes multiple alarms meeting the first condition with the root cause alarm;
the third acquisition module is used for acquiring target alarms according to the occurrence frequency of the alarm data which is acquired by the second acquisition module and meets the preset first condition and a preset second frequency threshold, wherein the occurrence frequency of the target alarms is greater than the second frequency threshold;
the aggregation module is used for aggregating target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence, wherein the frequency of the frequent alarms contained in the frequent alarm sequence appearing in a path set ending with the target alarms is greater than a preset second threshold;
wherein the notification unit includes:
the searching module is used for finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set according to the identifier corresponding to the currently generated alarm;
the fourth acquisition module is used for acquiring prefixes and extracting corresponding projection databases from the corresponding frequent alarm sequences;
the execution module is used for calculating the probability of each alarm in the projection database, and deleting the alarm identification with the probability of occurrence smaller than the first threshold value so as to update the corresponding frequent alarm sequence;
the execution module is further configured to bind the identifier of the current prefix with the identifiers of the reserved alarms to form a new prefix, and find projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence; executing calculation and deletion actions until the projection data are empty;
and the notification module is used for notifying the reserved warning.
6. The apparatus of claim 5, wherein the first obtaining module is specifically configured to:
scanning the historical alarm data set in the preset first time, wherein the historical alarm data comprises a classification key field, and the classification key field comprises an object field used for representing an object and/or an index field used for representing a monitoring index;
determining the frequency of each type of historical alarm according to the classification key fields contained in the historical alarm data;
and obtaining root cause alarms according to the frequency of each type of historical alarms and the first frequency threshold.
7. The apparatus according to claim 5, wherein the aggregation module is specifically configured to:
scanning a target alarm data set corresponding to root cause alarms of the same class to construct a target alarm sample set, wherein the target alarm sample set comprises a pointer list and a necklace table corresponding to the pointer list, and the pointer list comprises at least one target alarm identifier, occurrence frequency corresponding to the alarm identifier and a pointer pointing to a corresponding item linked list;
for each target alarm, acquiring a corresponding condition mode base, wherein the condition mode base is a set of paths ending in the target alarm;
determining a frequent alarm in the set of paths, the frequent alarm being an alarm in the set of paths that occurs more frequently than the second threshold;
and deleting target alarms in the set of paths, wherein the frequency of the target alarms in the set of paths is less than the second threshold value, and updating the target alarm sample set to form the historical alarm sequence sample set.
8. An alarm prediction system comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors to cause the one or more programs to include instructions for:
acquiring a currently generated alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type;
acquiring a historical alarm sequence sample set, wherein the historical alarm sequence sample set comprises a plurality of frequent alarm sequences in a preset first time, each frequent alarm sequence corresponds to a root cause alarm, and the frequent alarm sequences comprise a plurality of chronologically arranged frequent alarm item sets associated with the root cause alarms;
according to the currently generated alarm, the historical alarm sequence sample set and a preset first threshold value, notifying an alarm associated with the currently generated alarm, wherein the probability of occurrence of the associated alarm is greater than the first threshold value;
wherein the obtaining a sample set of historical alert sequences comprises:
acquiring root cause alarms from a historical alarm data set, wherein the occurrence frequency of the root cause alarms is greater than a preset first frequency threshold;
acquiring alarm data meeting a preset first condition from the historical alarm data set according to the root cause alarm, wherein the alarm data comprises a plurality of alarms meeting the first condition with the root cause alarm;
acquiring target alarms according to the occurrence frequency of the alarm data meeting the preset first condition and a preset second frequency threshold, wherein the occurrence frequency of the target alarms is greater than the second frequency threshold;
aggregating target alarms corresponding to the same type of root cause alarms to generate a frequent alarm sequence, wherein the frequency of the frequent alarms contained in the frequent alarm sequence appearing in a path set ending with the target alarms is greater than a preset second threshold;
wherein the notifying of the alarm associated with the currently generated alarm based on the currently generated alarm, the sample set of historical alarm sequences, and a preset first threshold comprises:
according to the identification corresponding to the currently generated alarm, finding out a frequent alarm sequence corresponding to the currently generated alarm from the historical alarm sequence sample set;
acquiring a prefix, and extracting a corresponding projection database from the corresponding frequent alarm sequence;
calculating the occurrence probability of each alarm in the projection database, and deleting the alarm identification with the occurrence probability smaller than the first threshold value so as to update the corresponding frequent alarm sequence;
respectively binding the identifier of the current prefix with the identifiers of the reserved alarms to form a new prefix, finding out projection data corresponding to the new prefix from the updated corresponding frequent alarm sequence, and executing calculation and deletion actions until the projection data are empty;
the reserved warning is announced.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the alarm prediction method of any one of claims 1 to 4.
CN201910025698.5A 2019-01-11 2019-01-11 Alarm prediction method, device, system and storage medium Active CN109617745B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910025698.5A CN109617745B (en) 2019-01-11 2019-01-11 Alarm prediction method, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910025698.5A CN109617745B (en) 2019-01-11 2019-01-11 Alarm prediction method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN109617745A CN109617745A (en) 2019-04-12
CN109617745B true CN109617745B (en) 2022-03-04

Family

ID=66015673

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910025698.5A Active CN109617745B (en) 2019-01-11 2019-01-11 Alarm prediction method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN109617745B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110245168B (en) * 2019-06-20 2021-08-31 国网江苏省电力有限公司南京供电分公司 Method and system for extracting abnormal event characteristic signals in power grid historical alarm
CN111726248A (en) * 2020-05-29 2020-09-29 北京宝兰德软件股份有限公司 Alarm root cause positioning method and device
CN111666198A (en) * 2020-06-10 2020-09-15 创新奇智(上海)科技有限公司 Log abnormity monitoring method and device and electronic equipment
CN112087334B (en) * 2020-09-09 2022-10-18 中移(杭州)信息技术有限公司 Alarm root cause analysis method, electronic device and storage medium
CN115314412B (en) * 2022-06-22 2023-09-05 北京邮电大学 Operation-and-maintenance-oriented type self-adaptive index prediction and early warning method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111296A (en) * 2011-01-10 2011-06-29 浪潮通信信息系统有限公司 Mining method for communication alarm association rule based on maximal frequent item set
CN107239388A (en) * 2017-05-27 2017-10-10 郑州云海信息技术有限公司 A kind of monitoring alarm method and system
CN108880915A (en) * 2018-08-20 2018-11-23 全球能源互联网研究院有限公司 A kind of information network security of power system warning information wrong report determination method and system
CN109117941A (en) * 2018-07-16 2019-01-01 北京思特奇信息技术股份有限公司 Alarm prediction method, system, storage medium and computer equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10628801B2 (en) * 2015-08-07 2020-04-21 Tata Consultancy Services Limited System and method for smart alerts

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111296A (en) * 2011-01-10 2011-06-29 浪潮通信信息系统有限公司 Mining method for communication alarm association rule based on maximal frequent item set
CN107239388A (en) * 2017-05-27 2017-10-10 郑州云海信息技术有限公司 A kind of monitoring alarm method and system
CN109117941A (en) * 2018-07-16 2019-01-01 北京思特奇信息技术股份有限公司 Alarm prediction method, system, storage medium and computer equipment
CN108880915A (en) * 2018-08-20 2018-11-23 全球能源互联网研究院有限公司 A kind of information network security of power system warning information wrong report determination method and system

Also Published As

Publication number Publication date
CN109617745A (en) 2019-04-12

Similar Documents

Publication Publication Date Title
CN109617745B (en) Alarm prediction method, device, system and storage medium
EP3467661B1 (en) Systems and methods for robust anomaly detection
CN105095056B (en) A kind of method of data warehouse data monitoring
US8861691B1 (en) Methods for managing telecommunication service and devices thereof
US20160055044A1 (en) Fault analysis method, fault analysis system, and storage medium
CN111294217A (en) Alarm analysis method, device, system and storage medium
CN107766533B (en) Automatic detection method and system for telephone traffic abnormality, storage medium and electronic equipment
CN111294819B (en) Network optimization method and device
CN111324511B (en) Alarm rule generation method and device, electronic equipment and storage medium
CN110471945B (en) Active data processing method, system, computer equipment and storage medium
CN112765161B (en) Alarm rule matching method and device, electronic equipment and storage medium
WO2016150468A1 (en) Building and applying operational experiences for cm operations
CN111552607A (en) Health evaluation method, device and equipment of application program and storage medium
CN111966762A (en) Index acquisition method and device
CN112988521A (en) Alarm method, device, equipment and storage medium
US20150120940A1 (en) Apparatus and method for changing resource using pattern information, and recording medium using the same
JP6917874B2 (en) System characterization system and system characterization device
CN116795631A (en) Service system monitoring alarm method, device, equipment and medium
CN116166820A (en) Visualized knowledge graph generation method and device based on provider data
WO2018122889A1 (en) Abnormality detection method, system, and program
CN110600112B (en) Method, device and equipment for discovering quality problems of parts
CN110941608B (en) Method, device and equipment for generating buried point analysis and funnel analysis report
CN109885467B (en) Data fluctuation alarming method and device, storage medium and electronic equipment
CN110109959B (en) Data processing method, device, server and storage medium
Mijumbi et al. MAYOR: machine learning and analytics for automated operations and recovery

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant